The incident raises considerations for security for critical data housed in third-party infrastructure, researchers say.
Almost 79,400 MyRepublic mobile subscribers have been caught up in a data breach that exposed a range of personal information, the company has confirmed.
The Singapore-based ISP and mobile provider said that an “unauthorized data access incident” took place on August 29. The intrusion in question was aimed at a third-party data storage platform used to store the personal data of MyRepublic’s mobile customers, the firm noted, in a Friday website notice.
The affected data includes various forms of proof of identification, the carrier acknowledged:
- Singapore citizens, permanent residents and employment and dependent pass holders: Scanned copies of both sides of their National Registration Identity Cards (NRICs), which are compulsory identity documents issued to citizens and permanent residents of Singapore. NRICs include names, pictures, dates of birth, addresses, countries of origin, race and gender;
- Foreign residents: Proof of residential address documents, e.g. scanned copies of a utility bill; which would also include;
- For customers porting an existing mobile service: Names and mobile numbers.
Account numbers and payment information weren’t affected, MyRepublic said, and none of the company’s internal infrastructure was compromised.
Setu Kulkarni, vice president of strategy at NTT Application Security, told Threatpost that he had some questions as to how the data was being protected.
“Basic confidentiality, integrity and availability (CIA) principles continue to be ignored resulting in ‘data incidents’ like this,” Kulkarni said. “While this incident is reported as unauthorized data access, which is serious enough, it likely points to an even more serious systemic issue with the way security for this critical data at rest is being implemented.”
This consideration comes into even greater focus when it comes to securing data housed in third-party infrastructure.
“Although there is an ongoing investigation into the incident, electronic breaches such as this highlight an ominous trend,” Simon Aldama, principal security advisor at Netenrich, told Threatpost. “Fifty-one percent of business have endured data breaches caused by threat actors subverting a vendor, partner or suppliers’ infrastructure, the most notable being Accellion, Audi and Volkswagen. The largest reason for this trend is that organizations focus more on post-breach incident, continuity and crisis management rather than pre-breach risk workstreams like asset, vulnerability and threat management.”
Organizations utilizing third parties for sensitive data storage, processing and transfer require accountability through contractual agreements between business-to-business relationships, he added.
“Managing vendor and partner risk requires attestations proving they’ve employed risk management practices and proper implementation of technology to protect personally identifiable information such as National Registration Identity Card information,” he noted. “In the end, financial losses, litigation, and compliance penalties are far greater in cost than the strategic investments required to prevent the incident occurring in the first place.”
Data Now Secured
The incident has been contained, MyRepublic said, because “the unauthorized access to the data storage facility has since been secured. The firm added that it contacted Singapore’s Infocomm Media Development Authority and Personal Data Protection Commission to help get to the bottom of the attack, while tapping KPMG in Singapore to “work closely with MyRepublic’s internal IT and Network teams to resolve the incident.”
“The privacy and security of our customers are extremely important to us at MyRepublic,” Malcolm Rodrigues, CEO at MyRepublic, said in the website statement. “Like you, we are disappointed with what has happened, and I would like to personally apologize for any inconvenience caused.”
He added, “My team and I have worked closely with the relevant authorities and expert advisors to secure and contain the incident, and we will continue to support our affected customers every step of the way to help them navigate this issue.”
MyRepublic is offering the de rigeur complimentary credit-monitoring service for affected customers, through Credit Bureau Singapore (CBS), and said that it’s reviewing its systems and processes, both internal and external, to shore up any cybersecurity efforts that it needs to.
Howard Ting, CEO at Cyberhaven, noted that this last point is critical for the provider moving forward.
“This breach is the latest in a string of examples that highlights how most services today involve a supply chain of vendors that can have access to our data,” Ting told Threatpost. “This is an important issue for individuals as well as enterprises. Too often, organizations have no visibility behind the curtain into how their service providers handle and protect their data. This demonstrates the need for more transparency and auditability so that customers can know the risk to their data.”